## Overview

TestDisk is an open-source data recovery tool for recovering lost or deleted partitions, rebuilding partition tables, and repairing corrupted boot sectors and filesystem structures. It can undelete files on several filesystem types, and its companion PhotoRec carves files from raw media regardless of filesystem. TestDisk is essential for digital forensics, disaster recovery, and data recovery operations in security assessments and incident response scenarios.
## Installation

### Debian/Ubuntu

```bash
sudo apt-get update
sudo apt-get install testdisk
```

### macOS

```bash
brew install testdisk
```

### From Source

```bash
wget https://www.cgsecurity.org/testdisk-7.1.tar.bz2
tar -xjf testdisk-7.1.tar.bz2
cd testdisk-7.1
./configure
make
sudo make install
```

### Verify Installation

```bash
testdisk --version
testdisk --help
```
## Core Components

| Tool | Purpose |
|---|---|
| testdisk | Partition recovery and filesystem repair |
| photorec | File recovery from any storage media |
| fidentify | File type identification |
## Basic TestDisk Usage

### Interactive Mode

```bash
# Start interactive TestDisk
sudo testdisk
# Follow prompts to:
# 1. Select storage device
# 2. Choose partition table type
# 3. Analyze and recover partitions
```

### Command-Line Mode

```bash
# List available disks (raw device access needs root)
sudo testdisk /list
# Analyze specific disk
sudo testdisk /dev/sda
# Verbose logging (debug output goes to testdisk.log in the current directory)
sudo testdisk /debug /dev/sda
```
## Device and Partition Selection

### List Storage Devices

```bash
# List all block devices
lsblk
# List disks with TestDisk
sudo testdisk /list
# Show detailed information
sudo fdisk -l
# List partitions
sudo parted -l
```

### Select Target Device

```bash
# Specify device in TestDisk
sudo testdisk /dev/sda
# For USB devices
sudo testdisk /dev/sdb
# For NVMe drives
sudo testdisk /dev/nvme0n1
```

| Device | Type |
|---|---|
| /dev/sda | Primary SATA drive |
| /dev/sdb | Secondary SATA drive |
| /dev/nvme0n1 | NVMe SSD |
| /dev/sdc | USB device |
## Partition Table Analysis

### Detect Partition Type

After the device is selected, TestDisk asks for the partition table type. It usually auto-detects the right one; accept it unless you know the disk was laid out differently:

- `Intel`: classic MBR partition table, the usual layout for FAT, NTFS and ext2/3/4 partitions
- `EFI GPT`: GUID Partition Table, used by modern UEFI systems
- `None`: media with a single filesystem written directly to the device and no partition table
- `Mac`, `Sun`, `XBox`: legacy or console-specific schemes for non-PC media

### Analyze Partition Structure

- `Analyse` > `Quick Search`: reads the existing partition entries and their boot sectors or superblocks and reports which ones are consistent
- `Deeper Search`: scans the whole drive for boot sectors and superblocks, which finds partitions whose entries are gone but takes much longer
- `Geometry`: when a corrupted MBR has left the disk with a wrong cylinder/head/sector geometry, correct it here before searching, otherwise the partitions found will not line up with the real data
## Partition Recovery Workflow

### Interactive Recovery Process

```bash
# 1. Connect storage device
sudo testdisk
# 2. Select device from list
#    Select /dev/sda
# 3. Choose partition table type
#    Intel (MBR) or EFI (GPT)
# 4. Analyze partitions
#    Auto or Manual
# 5. View found partitions
#    Verify partition types
# 6. Write partition table
#    Confirm recovery
```

### Recovery Options

| Option | Function |
|---|---|
| Deeper Search | Comprehensive scan |
| List Files | Browse recovered files |
| Backup | Save partition table |
| Write | Restore partition table |
## PhotoRec: File Recovery

### Start PhotoRec

```bash
# Launch PhotoRec
sudo photorec
# Follow menu to:
# 1. Select storage device
# 2. Choose the partition (or whole disk) and its filesystem type
# 3. Select file types under File Opt
# 4. Choose the output directory and run recovery
```

### File Type Selection

PhotoRec recognises files by their headers, so the selection under `File Opt` decides which signatures are searched for. Common families:

- Images: JPG, PNG, GIF, RAW
- Documents: DOC, PDF, XLS
- Video: MP4, MOV, AVI
- Archives: ZIP, RAR, 7Z

### Recover Specific File Types

- JPG images only: in `File Opt`, disable the other types and leave only `jpg` enabled
- PDF documents: likewise, with only `pdf` enabled
- All file types: keep the default selection, in which every type is enabled

### Recovery Parameters

| Parameter | Purpose |
|---|---|
| File Formats | Which file signatures PhotoRec searches for (`File Opt`) |
| Filesystem | `ext2/ext3/ext4` or `Other` (FAT, NTFS, HFS+, ...), which changes how block alignment is handled |
| Search Path | Output directory; recovered files are written into numbered `recup_dir.N` subfolders beneath it |
| Blocksize | Filesystem block (cluster) size used to align the search; detected from the filesystem, or set by hand in expert mode |
## Advanced Partition Operations

### Backup Partition Table

```bash
# Create MBR backup (first 512 bytes: boot code, four partition entries, 0x55AA signature)
sudo dd if=/dev/sda of=mbr_backup.bin bs=512 count=1
# Create GPT backup (protective MBR, GPT header and partition entries)
sudo sgdisk --backup=gpt_backup.bin /dev/sda
# Export the partition table as TestDisk sees it: choose Backup from the
# partition list and TestDisk writes it to backup.log in the current directory
sudo testdisk /log /dev/sda
```

### Restore Partition Table

```bash
# Restore MBR from backup (this also overwrites the boot code in bytes 0-445)
sudo dd if=mbr_backup.bin of=/dev/sda bs=512 count=1
# Restore GPT
sudo sgdisk --load-backup=gpt_backup.bin /dev/sda
# Verify restoration
sudo parted -l
```
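To make concrete what the 512-byte `dd` backup above actually holds, and what TestDisk's Quick Search reads before it looks at boot sectors, here is an added MBR parser in POSIX shell. It is example code written for this page, not TestDisk or sgdisk code; the MBR it parses is constructed in-line (zeroed boot code, two partition entries, the 0x55AA signature) so the script runs offline without touching a real disk. Function names (`make_sample_mbr`, `mbr_entry`, `mbr_has_signature`) are this example's own.

```shell
#!/bin/sh
# Added example (not TestDisk/sgdisk code): parse the classic MBR layout that
# "dd if=/dev/sdX bs=512 count=1" captures. Partition entries live at bytes
# 446-509 (16 bytes each), the boot signature 0x55 0xAA at bytes 510-511.
set -eu

# Build a constructed 512-byte MBR at PATH: zero boot code plus two entries.
make_sample_mbr() {
    img=$1
    dd if=/dev/zero of="$img" bs=512 count=1 2>/dev/null
    # Entry 0: boot flag 0x80, type 0x83 (Linux), start LBA 2048, 204800 sectors
    # (LBA and count are little-endian 32-bit fields at entry bytes 8-11 and 12-15)
    printf '\200\000\000\000\203\000\000\000\000\010\000\000\000\040\003\000' |
        dd of="$img" bs=1 seek=446 conv=notrunc 2>/dev/null
    # Entry 1: not bootable, type 0x07 (NTFS/exFAT), start LBA 206848, 1000000 sectors
    printf '\000\000\000\000\007\000\000\000\000\050\003\000\100\102\017\000' |
        dd of="$img" bs=1 seek=462 conv=notrunc 2>/dev/null
    # Boot signature 0x55 0xAA
    printf '\125\252' | dd of="$img" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# Exit 0 when bytes 510-511 are 0x55 0xAA (85 170 decimal), 1 otherwise.
mbr_has_signature() {
    set -- $(od -An -tu1 -j 510 -N 2 "$1")
    [ "$1" -eq 85 ] && [ "$2" -eq 170 ]
}

# Print "type_hex start_lba sector_count" for entry IDX (0-3); print nothing
# for an unused slot (type 0). Bytes are decoded one at a time so the result
# does not depend on the host's endianness.
mbr_entry() {
    img=$1; idx=$2
    set -- $(od -An -tu1 -j $((446 + idx * 16)) -N 16 "$img")
    ptype=$5
    [ "$ptype" -ne 0 ] || return 0
    start=$(( $9 | (${10} << 8) | (${11} << 16) | (${12} << 24) ))
    count=$(( ${13} | (${14} << 8) | (${15} << 16) | (${16} << 24) ))
    printf '%02x %d %d\n' "$ptype" "$start" "$count"
}

# Demo: build the sample MBR and list its entries (run with "demo" as argument)
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_sample_mbr "$tmp/mbr.bin"
    mbr_has_signature "$tmp/mbr.bin" && echo "boot signature present"
    for i in 0 1 2 3; do mbr_entry "$tmp/mbr.bin" "$i"; done
fi
```

Pointing `mbr_entry` at a real `mbr_backup.bin` shows exactly which entries the backup preserves; comparing its output before and after a TestDisk `Write` is a quick way to confirm that only the intended entries changed. Type 0xEE in entry 0 marks a protective MBR, meaning the real table is GPT and the `sgdisk --backup` path applies instead.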
## Filesystem Repair

### Check Filesystem Integrity

```bash
# Check ext4 filesystem (read-only, no changes made)
sudo fsck -n /dev/sda1
# Check NTFS (ntfsfix from ntfs-3g; -n reports without writing)
sudo ntfsfix -n /dev/sda1
# Check FAT32 (read-only)
sudo fsck.vfat -n /dev/sda1
```

### Repair Corrupted Filesystem

```bash
# Ext4 repair
sudo fsck.ext4 -y /dev/sda1
# NTFS repair (ntfsfix only fixes common problems and flags the volume for
# chkdsk; a full NTFS repair needs chkdsk on Windows)
sudo ntfsfix /dev/sda1
# FAT32 repair
sudo fsck.vfat -y /dev/sda1
```

### Mount Recovered Filesystem

```bash
# Create mount point
sudo mkdir -p /mnt/recovered
# Mount ext4 (add -o ro to keep the volume read-only while copying data out)
sudo mount -t ext4 /dev/sda1 /mnt/recovered
# Mount NTFS (ntfs-3g; on kernels with the in-tree driver use -t ntfs3)
sudo mount -t ntfs /dev/sda1 /mnt/recovered
# Mount FAT32
sudo mount -t vfat /dev/sda1 /mnt/recovered
```
## Data Carving and Recovery

### Carve Files from Raw Sectors

PhotoRec ignores the filesystem and scans the raw sectors for known file headers and footers, so it still works when the partition table or directory structures are gone. The trade-off is that carved files lose their names and timestamps and fragmented files may come back incomplete.

```bash
# Start file carving
sudo photorec
# Select device
# Select filesystem
# Choose output directory
# Select file types
# Run recovery
# Monitor progress from a second shell (PhotoRec writes into recup_dir.N under the output directory)
watch -n 1 'find recovered_files -type f | wc -l'
```

### Targeted Recovery

Carving can be narrowed so that it runs faster and produces fewer false positives:

- Select a single partition instead of the whole disk when PhotoRec lists the device
- Choose `Free` to carve only unallocated space, where deleted files live, instead of `Whole`
- Enable only the file types you need under `File Opt`
- To search a specific sector range, for example the last 10 GB of a drive, copy that range to an image with `dd` (`skip=` and `count=` given in sectors) and run PhotoRec on the image
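The principle behind PhotoRec, header and footer recognition with no help from the filesystem, is easy to see in a small carver of your own. The script below is an added example written for this page, not PhotoRec code: it builds a constructed raw image containing two PNG-shaped objects at known offsets (only the PNG signature and `IEND` chunk are real PNG structure, the middle is filler), then carves them out by byte offset with GNU `grep -b` and `dd`. The function names `make_sample_image` and `carve_png` are this example's own.

```shell
#!/bin/sh
# Added example (not PhotoRec code): a minimal header/footer carver. It finds
# PNG signatures in a raw image and cuts each file at its IEND chunk, using
# no filesystem metadata, which is why carving survives a lost partition table.
set -eu

# Build a constructed 64 KiB image with two minimal PNG-shaped objects.
make_sample_image() {
    img=$1
    dd if=/dev/zero of="$img" bs=1024 count=64 2>/dev/null
    for off in 4096 20480; do
        {
            printf '\211PNG\r\n\032\n'                  # 8-byte PNG signature
            printf 'CONSTRUCTED-CHUNK-DATA'             # 22 bytes of filler
            printf '\000\000\000\000IEND\256B\140\202'  # IEND chunk: length, type, CRC
        } | dd of="$img" bs=1 seek="$off" conv=notrunc 2>/dev/null
    done
}

# Carve every PNG from IMG into OUTDIR (as f1.png, f2.png, ...) and print the count.
carve_png() {
    img=$1; outdir=$2
    mkdir -p "$outdir"
    n=0
    # grep -b reports the byte offset of each header match; -a/-U stop grep from
    # treating the data as binary, LC_ALL=C makes the 0x89 byte match literally
    for start in $(LC_ALL=C grep -obUa "$(printf '\211PNG')" "$img" | cut -d: -f1); do
        # The file ends at the first IEND after this header, plus its 4-byte CRC
        end=$(LC_ALL=C grep -obUa 'IEND' "$img" | cut -d: -f1 |
              awk -v s="$start" '$1 + 0 > s + 0 { print $1 + 8; exit }')
        [ -n "$end" ] || continue   # header with no footer: truncated, skipped
        n=$((n + 1))
        dd if="$img" of="$outdir/f$n.png" bs=1 skip="$start" count=$((end - start)) 2>/dev/null
    done
    echo "$n"
}

# Demo: build the image and carve it (run with "demo" as argument)
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_sample_image "$tmp/disk.img"
    echo "carved $(carve_png "$tmp/disk.img" "$tmp/out") file(s) into $tmp/out"
fi
```

The same loop works on a `dd` image of a real partition, which is also why carving a sector range extracted with `dd skip=` behaves exactly like carving the whole device: the carver only ever sees bytes and offsets. It also shows the limits PhotoRec shares: a fragmented file is cut at the first footer found, and a header whose footer was overwritten yields nothing.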
## Practical Workflow Examples

### Recover Deleted Partition

```bash
# 1. Connect storage to recovery machine
# 2. Run TestDisk
sudo testdisk
# 3. Select device (e.g., /dev/sdb)
# 4. Choose partition type (Intel or EFI)
# 5. Run Deeper Search
# 6. Verify found partitions
# 7. Write partition table
# 8. Reboot system
# 9. Verify recovered partition
sudo parted -l
```

### Restore Files from Deleted Partition

```bash
# 1. Run TestDisk or PhotoRec
sudo photorec
# 2. Select device
# 3. Choose target filesystem
# 4. Specify output directory
# 5. Select file types
# 6. Run recovery process
# 7. Monitor progress
# 8. Access recovered files
ls -la recovered_files/
```

### Full System Recovery Procedure

```bash
# 1. Boot from recovery USB
# 2. Connect external drive
# 3. Analyze damaged drive
sudo testdisk /dev/sda
# 4. Recover partition table
# 5. Mount partitions
sudo mkdir -p /mnt/sda1
sudo mount /dev/sda1 /mnt/sda1
# 6. Extract critical data
rsync -av /mnt/sda1/ /external_drive/
# 7. Use PhotoRec for additional files
sudo photorec
```

### Incident Response Data Preservation

```bash
# 1. Create a forensic image (sector-by-sector copy)
sudo dd if=/dev/sda of=forensic_image.dd bs=4M status=progress
# 2. Analyze the image with TestDisk: attach it to a read-only loop device
#    (TestDisk also accepts the image file directly as its argument)
sudo losetup --find --show --read-only -P forensic_image.dd
sudo testdisk /dev/loop0   # use the loop device losetup printed
# 3. Recover deleted files from the image, not from the original device
sudo photorec forensic_image.dd
# 4. Document findings
ls -la recovered_files/ > recovery_log.txt
```
## Automation Scripts

### Batch Recovery Script

```bash
#!/bin/bash
# Usage: batch_recovery.sh /dev/sdX
set -eu
DEVICE=${1:?usage: $0 /dev/sdX}
OUTPUT_DIR="/mnt/recovery_$(date +%Y%m%d_%H%M%S)"
mkdir -p "$OUTPUT_DIR"
echo "[*] Starting recovery for $DEVICE"
echo "[*] Output: $OUTPUT_DIR"
# Run PhotoRec unattended: /d sets the output directory prefix, /cmd supplies
# the menu choices (whole device, every file type enabled, then search).
# TestDisk itself has only limited /cmd support and is normally run interactively.
sudo photorec /log /d "$OUTPUT_DIR/recup_dir" /cmd "$DEVICE" partition_none,fileopt,everything,enable,search
echo "[*] Recovered files are under $OUTPUT_DIR/recup_dir.*"
```

### Verify Recovery Results

```bash
#!/bin/bash
# Usage: verify_recovery.sh <recovery_dir>
set -eu
RECOVERY_DIR=${1:?usage: $0 <recovery_dir>}
echo "[*] Recovery Statistics:"
echo "Total files: $(find "$RECOVERY_DIR" -type f | wc -l)"
echo "Total size: $(du -sh "$RECOVERY_DIR" | cut -f1)"
echo "[*] File type distribution:"
# Extension of each file name (files without an extension are skipped)
find "$RECOVERY_DIR" -type f | sed -n 's/.*\.\([^./]*\)$/\1/p' | sort | uniq -c | sort -rn
echo "[*] Largest files:"
find "$RECOVERY_DIR" -type f -exec du -h {} + | sort -rh | head -10
```

### Recovery Report Generator

```bash
#!/bin/bash
# Usage: recovery_report.sh <recovery_dir>
set -eu
RECOVERY_DIR=${1:?usage: $0 <recovery_dir>}
REPORT_FILE="recovery_report_$(date +%Y%m%d_%H%M%S).txt"
{
echo "Recovery Report"
echo "Generated: $(date)"
echo "Source directory: $RECOVERY_DIR"
echo "================================"
echo ""
echo "Statistics:"
echo "Total Files: $(find "$RECOVERY_DIR" -type f | wc -l)"
echo "Total Size: $(du -sh "$RECOVERY_DIR" | cut -f1)"
echo ""
echo "File Types:"
find "$RECOVERY_DIR" -type f | sed -n 's/.*\.\([^./]*\)$/\1/p' | sort | uniq -c | sort -rn
echo ""
echo "Largest Files:"
find "$RECOVERY_DIR" -type f -exec du -h {} + | sort -rh | head -20
} > "$REPORT_FILE"
echo "[*] Report saved: $REPORT_FILE"
```
## Forensic Best Practices

### Image the Device First

```bash
# Create forensic image before recovery
sudo dd if=/dev/sda of=backup_image.dd bs=4M status=progress
# Verify image integrity
md5sum backup_image.dd > backup_image.md5
md5sum -c backup_image.md5
```

### Document Recovery Process

```bash
# Log all commands
script -a recovery_session.log
# Record device information
sudo fdisk -l > device_info.txt
sudo parted -l >> device_info.txt
# Document findings
date > recovery_notes.txt
echo "Recovery performed on $(date)" >> recovery_notes.txt
```

### Chain of Custody

```bash
# Hash original storage device
sudo md5sum /dev/sda > original_hash.txt
# Hash recovered data
find recovered_files -type f -exec md5sum {} + > recovered_hashes.txt
# Document all actions
echo "Recovery timestamp: $(date)" > chain_of_custody.log
```
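Checking an image only against its own checksum, as in the "Verify image integrity" step above, proves the file has not changed since hashing but not that it matches the source. The script below, an added example written for this page and not part of TestDisk, ties the three custody steps together: it hashes the source and the image independently with SHA-256, stores the image digest in `sha256sum -c` format, appends a timestamped custody entry, and hashes every recovered file for later checks. The function names (`hash_file`, `acquire_image`, `verify_image`, `hash_recovered`) and the constructed test data standing in for `/dev/sdX` are this example's own.

```shell
#!/bin/sh
# Added example (not TestDisk code): acquisition with independent source and
# image digests plus a custody log. Uses sha256sum (coreutils) or shasum (macOS).
set -eu

# SHA-256 hex digest of a file or block device
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Copy SRC to IMG, hash both sides, write IMG.sha256 (sha256sum -c format) and
# append a custody entry to LOG. Exit 1 if source and image digests differ.
acquire_image() {
    src=$1; img=$2; log=$3
    src_hash=$(hash_file "$src")
    # Plain dd on purpose: conv=noerror,sync would pad unreadable blocks and
    # make the digests differ; for failing media use ddrescue and hash its output.
    dd if="$src" of="$img" bs=4M 2>/dev/null
    img_hash=$(hash_file "$img")
    printf '%s  %s\n' "$img_hash" "$img" > "$img.sha256"
    printf '%s acquire src=%s img=%s sha256_src=%s sha256_img=%s operator=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$img" "$src_hash" "$img_hash" "$(id -un)" >> "$log"
    [ "$src_hash" = "$img_hash" ]
}

# Re-hash IMG and compare with the digest recorded at acquisition; exit 0 if unchanged
verify_image() {
    img=$1
    [ "$(hash_file "$img")" = "$(cut -d' ' -f1 "$img.sha256")" ]
}

# Hash every file under DIR into OUT (same format) and print how many were hashed
hash_recovered() {
    dir=$1; out=$2
    find "$dir" -type f | sort | while read -r f; do
        printf '%s  %s\n' "$(hash_file "$f")" "$f"
    done > "$out"
    wc -l < "$out" | tr -d ' '
}

# Demo with a constructed source file (run with "demo" as argument)
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    seq 1 20000 > "$tmp/evidence.bin"      # stands in for /dev/sdX
    acquire_image "$tmp/evidence.bin" "$tmp/evidence.dd" "$tmp/custody.log"
    verify_image "$tmp/evidence.dd" && echo "image digest verified"
    cat "$tmp/custody.log"
fi
```

Run `acquire_image /dev/sdX evidence.dd custody.log` as root on a real device; a non-zero exit there means the image is not a faithful copy and must not be used as evidence. Later integrity checks are `verify_image evidence.dd` or simply `sha256sum -c evidence.dd.sha256`.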
## Troubleshooting

### Permission Denied Errors

```bash
# TestDisk and PhotoRec need raw access to block devices, so run them as root
sudo testdisk /dev/sda
sudo photorec
```

### Device Not Recognized

```bash
# Check device detection
lsblk
sudo fdisk -l
# Reconnect the device or try a different USB port, then check the kernel log
dmesg | tail -20
```

### Recovery Takes Too Long

```bash
# Runtime scales with drive size rather than with the amount of data; large drives take hours
# Monitor free space on the output volume
watch -n 10 'df -h'
# PhotoRec can be stopped and resumed: it keeps its state in photorec.ses
# in the working directory and offers to resume on the next start
```

### Corrupted Recovery Output

```bash
# Verify filesystem integrity (read-only check)
sudo fsck -n /dev/sda1
# Try different recovery options:
# - Use Deeper Search
# - Test different filesystem types
# - Consider professional recovery if the data is critical
```
## Safety Considerations

### Avoid Writing to Source Device

```bash
# Never write to the source during recovery
# Mount read-only
sudo mount -r /dev/sda1 /mnt/
# Use external storage for recovery output
# Verify the target has enough space
df -h /target_directory
```

### Backup Before Modifications

```bash
# Always backup the original partition table
sudo sfdisk -d /dev/sda > partitions.bak
# Backup boot sector
sudo dd if=/dev/sda of=bootsector.bak bs=512 count=1
# Verify backup
ls -la *.bak
```
## Related Tools

- ddrescue — Data recovery with error handling
- Autopsy — Digital forensics framework
- Sleuth Kit — Forensic analysis toolkit
- photorec — File carving (included with TestDisk)
- fsck — Filesystem checking and repair